Security experts are warning that newly discovered malware targeting Chinese users of Google's Android mobile operating system has "botnet-like capabilities" that could take control of an Android phone by communicating with a central command-and-control server.

The malware, which has been dubbed "Geinimi," is apparently being "grafted" onto repackaged legitimate Android apps and then posted on Chinese app stores, PC World reports.

San Francisco, Calif.-based security research firm Lookout discovered the malware after a concerned user posted to a forum. In its writeup of the Trojan, Lookout called it "the most sophisticated Android malware we've seen to date" and the first malware to display botnet-like capabilities in the wild. Once installed on a user's phone, the malicious software is able to "receive commands from a remote server that allow the owner of that server to control the phone."

Though Lookout admits that the purpose of the Trojan isn't clear, "the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet," wrote the company.

During its analysis, Lookout detected Geinimi sending location coordinates and device identifiers, downloading and prompting the user to install an app, prompting the user to uninstall an app, and enumerating and sending a list of installed apps to the control server. However, app installations and uninstallations still need to be confirmed by the user.

"Geinimi's author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities," the post continued. "In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware."

No instances of the Geinimi Trojan have been seen in the official Google Android Market, as all affected apps have been discovered on third-party app stores in China.
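A defender-side triage for the repackaging described above, as an added example that is not Lookout's code or part of the original article: it compares a third-party store copy of an app against the official release and flags a changed signer together with newly requested sensitive permissions. It assumes the signing-certificate fingerprint and permission list have already been extracted from each APK; the package name, fingerprints and records are constructed.

```python
from dataclasses import dataclass

# Android permissions that gate the kinds of data the article mentions
# (location, device identifiers, contacts, SMS).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location coordinates",
    "android.permission.ACCESS_COARSE_LOCATION": "location coordinates",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_CONTACTS": "contact data",
    "android.permission.SEND_SMS": "sending SMS",
}


@dataclass(frozen=True)
class ApkRecord:
    package: str
    signer_sha256: str       # hex digest of the signing certificate
    permissions: frozenset   # permission names requested in the manifest


@dataclass(frozen=True)
class Triage:
    signer_changed: bool
    added_sensitive: tuple   # (permission, what it exposes) pairs
    added_other: tuple       # other permissions absent from the reference

    @property
    def suspect(self):
        # A repackager cannot sign with the original developer's key, so a
        # changed signer plus new sensitive permissions fits grafted code.
        return self.signer_changed and bool(self.added_sensitive)


def triage(reference, candidate):
    """Compare a candidate APK record against the official release record."""
    if candidate.package != reference.package:
        raise ValueError("records describe different packages")
    added = sorted(candidate.permissions - reference.permissions)
    return Triage(
        signer_changed=(candidate.signer_sha256.lower()
                        != reference.signer_sha256.lower()),
        added_sensitive=tuple((p, SENSITIVE[p]) for p in added if p in SENSITIVE),
        added_other=tuple(p for p in added if p not in SENSITIVE),
    )


# Constructed sample records (placeholder fingerprints, hypothetical package).
OFFICIAL = ApkRecord(
    "com.example.game", "aa" * 32,
    frozenset({"android.permission.INTERNET"}),
)
THIRD_PARTY = ApkRecord(
    "com.example.game", "bb" * 32,
    frozenset({
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_PHONE_STATE",
        "android.permission.VIBRATE",
    }),
)

if __name__ == "__main__":
    result = triage(OFFICIAL, THIRD_PARTY)
    print("signer changed:", result.signer_changed)
    for perm, exposes in result.added_sensitive:
        print(f"added {perm} ({exposes})")
    print("suspect:", result.suspect)
```

A changed signer on its own already shows the copy did not come from the original developer; the permission diff indicates what the added code could reach.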

Mobile security

As the sales of smartphones and other mobile devices have increased, security threats to mobile applications have increased as well. Earlier this month, security vendor AdaptiveMobile reported that mobile malware infections had grown 33 percent year-over-year. Google's Android platform saw the greatest rise, 400 percent, in targeted exploits, though Android's infection rate remained low compared to older platforms. Reported exploits aimed at the iPhone declined year over year.

In July, a study of over 300,000 free applications by Lookout revealed that applications for both iPhone and Android were regularly accessing the user's contact data. The study found that 14 percent of the surveyed applications from Apple's App Store, and 8 percent of tested applications on Android, could view the contact list.

During the study, Lookout discovered that free wallpaper applications on Google's Android Market were collecting private user data and forwarding it to servers in China. Lookout asserted that there was "no proof of malicious intent," but cautioned that the apps had sent sensitive data, including "a device's phone number, subscriber identifier, and currently programmed voicemail number" to the server.

Apple's approach of curating the App Store, though derided by some as "closed," has thus far proved successful at preventing iOS devices from having a live virus problem. The iPhone maker employs a strict vetting process for iOS apps before approving them for the App Store.

Google's Android Market app security, on the other hand, simply warns the user that an app needs permissions during installation.

iOS apps run in a discrete 'sandbox' environment that prevents them from infecting the system. And apps must be signed by a certificate from Apple, preventing the kind of third-party repackaging confusion that the Geinimi Trojan is currently exploiting in the Chinese market.

Privacy rights

After a report published by The Wall Street Journal earlier this month revealed that Android and iOS applications were sending unique device identifiers, location data, and even "age, gender or other personal details" to outside sources, one iPhone user sued Apple on behalf of all iPhone users over alleged violations of federal privacy laws. The lawsuit calls attention to the issue of user privacy rights, as advertisers have sought to glean increasing amounts of valuable information on users and their usage patterns.

Though Apple allows users to opt out of location sharing on its iAd network, it appears that Apple hasn't fully enforced rules meant to protect user privacy.

In October, a security report found that 68 percent of the App Store's top iPhone apps transmit unencrypted unique device identifiers, which can be easily linked to personal information.

Earlier this year, Apple CEO Steve Jobs called out one mobile analytics firm after learning that the firm was collecting device data in violation of Apple's privacy policy. The firm had used the data to reveal that Apple was testing a tablet device on its campus ahead of Apple's official reveal of the iPad. According to Jobs, Apple's employees went "through the roof" when they learned that device information was being collected without its knowledge.

The firm quickly responded that it would comply with the respective changes to the iPhone OS terms of service.

Apple was also the subject of a U.S. Congressional inquiry after an inaccurate and sensational LA Times report suggested that changes to the iOS privacy policy would result in Apple tracking iPhone users' locations. Apple promptly responded to the concerns in a letter.

"Apple does not share any interest-based or location-based information about individual customers, including the zip code calculated by the iAd server, with advertisers," the letter read. "Apple retains a record of each ad sent to a particular device in a separate iAd database, accessible only by Apple, to ensure that customers do not receive overly repetitive and/or duplicative ads for administrative purposes."

Seriously though... But Android is free! And Open! and Wonderful! And you can root it! Just don't be surprised when the FBI comes and bashes down your door once your Android phone is hijacked to execute DOS attacks on the Govt.

So, if I'm understanding this correctly, after I, of my own volition, check the option to download from unknown sources in the settings, I probably shouldn't download apps from a no name Chinese web site. Got it.

Nope, you just download any app and it has access to do pretty much anything it wants to do.

Honestly, just look at those permissions for simple apps... Any rational person would question
the whole scheme of Android permissions. The dialog box should just read:

"Would you like to give everything about yourself away to everyone and anyone? Click OK to proceed.
Oh, BTW, we will have full access to making your phone do whatever we want without you knowing."

The SMS app looks like it needs access to all those services, especially Your Messages.

The My Tracks app looks like it needs all those services for tracking... unless that is music player app j/k.

The only one that sticks out is the Wallpaper app. Surely it needs storage access. I guess network if it updates through the app or has ads, since it's free. The need to read phone calls is a stumper, though.

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"

So, if I'm understanding this correctly, after I, of my own volition, check the option to download from unknown sources in the settings, I probably shouldn't download apps from a no name Chinese web site. Got it.

The SMS app looks like it needs access to all those services, especially Your Messages.

The My Tracks app looks like it needs all those services for tracking... unless that is music player app j/k.

The only one that sticks out is the Wallpaper app. Surely it needs storage access. I guess network if it updates through the app or has ads, since it’s free. The need to read phone calls is a stumper, though.

I'm obviously being a bit tin-foil hat here, but once you provide permissions to those apps, the app doesn't have to ask you anymore to do certain things.

In the case of the SMS app, of course, it needs that access when you are using it. But after you give it permission, it could conceivably "directly call phone numbers", "send SMS", "read contact data", etc. *behind your back*.

I'm surprised the whole Android app system isn't more abused, maybe we'll discover more as time goes by.

In any case I notice people in general are starting to care less. I have two friends that had their hotmail accounts hijacked, their hotmail sends out spam messages to various contacts several times a week, sometimes several times a day. But they haven't resolved that issue for whatever reason even though I told one of them.

I'm obviously being a bit tin-foil hat here, but once you provide permissions to those apps, the app doesn't have to ask you anymore to do certain things.

In the case of the SMS app, of course, it needs that access when you are using it. But after you give it permission, it could conceivably "directly call phone numbers", "read contact data", etc. *behind your back*.

Yeah, they could, but at least you know what they could do. Obviously, you need to pay attention to what it is asking permissions for.

Consider the flashlight app that enabled tethering, if you noticed that a flashlight app was asking network permissions your radar must ping. If that developer had malicious intent, you might be able to protect yourself.

The point is that you never know when or why they're doing it. There is no data security whatsoever once you give permission. And there's no app screening process, so there's no way to know which apps might have a secret back door. It's really scary, actually, especially when your most personal data is in the mix.

I'm very happy with the level of control under iOS, TYVM. I don't need the security mess that is Android.

Posted a comment about this a week ago, and this mood has been floated around a lot. Basically Android's "openness" also makes it more vulnerable to malware. Look for to Norton Mobile for Android in a few months.

I've always been stumped as to why the term "walled garden" is bad. Does anyone else here plant food? Without some type of protection the rodents (squirrels and chipmunks along with many others) take everything you've worked for. All of your hard efforts get eaten by something that didn't put in the labor to have it.

I would love for someone to explain to me how a 'walled garden' is a bad thing... the plants can actually 'fruit' or the flowers will actually blossom?...

I always thought Google OS might replace Microsoft for the masses, it seems it is in more ways than I had imagined. How soon before they will need a version of that Norton type crap on them?

Been saying this for months now. All you had to do was look at the way apps are 'approved' and you know that malicious code is being written and downloaded on Droid phones. The problem will only get worse as time goes on, unless Google does something to police their apps.

Droid app store might as well be synonymous with Limewire, Pirate Bay, etc...

Recently at an AT&T store looking at phones and briefly looked at the Galaxy Tab, preloaded on the home screen is the AVG application. I thought to myself it's the same shit like Microsoft, will people ever learn? Will people fall in the same trap as the industry did with Microsoft? Who knows what the future will hold for portable devices.

I've always been stumped as to why the term "walled garden" is bad. Does anyone else here plant food? Without some type of protection the rodents (squirrels and chipmunks along with many others) take everything you've worked for. All of your hard efforts get eaten by something that didn't put in the labor to have it.

I would love for someone to explain to me how a 'walled garden' is a bad thing... the plants can actually 'fruit' or the flowers will actually blossom?...

Help me out here please.

It has its advantages but imo it's criticized because once you are in there you are the owner's b*tch for-e-ver.

I've always been stumped as to why the term "walled garden" is bad. Does anyone else here plant food? Without some type of protection the rodents (squirrels and chipmunks along with many others) take everything you've worked for. All of your hard efforts get eaten by something that didn't put in the labor to have it.

I would love for someone to explain to me how a 'walled garden' is a bad thing... the plants can actually 'fruit' or the flowers will actually blossom?...

Help me out here please.

"Walled Garden" is a term people like to use to try and convince you that Apple is anti-freedom, evil, controlling and locking you in all for the sake of ever higher prices. It's a scare tactic designed to make you think that if you go Apple there is no turning back or getting out, ever, and you'll become less American and pay higher taxes.

Quote:

Originally Posted by EDMStitchy

Recently at an AT&T store looking at phones and briefly looked at the Galaxy Tab, preloaded on the home screen is the AVG application. I thought to myself it's the same shit like Microsoft, will people ever learn? Will people fall in the same trap as the industry did with Microsoft? Who knows what the future will hold for portable devices.

2nd best and crappy wins out for the masses because it can be produced in insanely huge quantities and is cheaper. Android looks to follow that path.

"Walled Garden" is a term people like to use to try and convince you that Apple is anti-freedom, evil, controlling and locking you in all for the sake of ever higher prices. It's a scare tactic designed to make you think that if you go Apple there is no turning back or getting out, ever, and you'll become less American and pay higher taxes.

So, if I'm understanding this correctly, after I, of my own volition, check the option to download from unknown sources in the settings, I probably shouldn't download apps from a no name Chinese web site. Got it.

No but it's probably going to affect international users more. They will have cultures that drive them to different store models with different content and they will take some of the popular apps, inject them with trojans and put them on the store. The store itself would be trusted, the app developer would be trusted, it's the process by which the app gets onto the store which isn't.

Google can require that developers provide hash verifications of their apps and that way it at least limits trojans to bad developers.

Honestly, just look at those permissions for simple apps... Any rational person would question
the whole scheme of Android permissions. The dialog box should just read:

So, is it strange that an SMS application has permission to read and send SMS and a GPS Track logger made by Google and that is linked with your Google Account has permission to track your location and connect to your Google account?

So, is it strange that an SMS application has permission to read and send SMS and a GPS Track logger made by Google and that is linked with your Google Account has permission to track your location and connect to your Google account?

Why would a tracking app need access to more than my location? Why does it need access to my google account! Perhaps, so that it can spam the local shops?

"Walled Garden" is a term people like to use to try and convince you that Apple is anti-freedom, evil, controlling and locking you in all for the sake of ever higher prices. It's a scare tactic designed to make you think that if you go Apple there is no turning back or getting out, ever, and you'll become less American and pay higher taxes.

So, is it strange that an SMS application has permission to read and send SMS and a GPS Track logger made by Google and that is linked with your Google Account has permission to track your location and connect to your Google account?

Quote:

Originally Posted by iStud

Why would a tracking app need access to more than my location? Why does it need access to my google account! Perhaps, so that it can spam the local shops?

Quote:

Originally Posted by jfanning

Are you honestly complaining that an SMS application can have access to your SMS messages?

There are two issues right now I see with Android permissions.

The first is apps that request permissions for things that you do not want it to access, for example a tracking app linking up with your entire Google Account, or a Wallpaper app that wants access to "Phone Calls", as shown in the screenshot.

Secondly, more pertinently, is that the issue is not that "An SMS app needs access to SMS". The point is that once you have granted permission that app can then send SMS's behind your back without you knowing. Apple's iOS and App Store has various layers that prevent this sort of thing. From private API use, to some level of human-checking of apps and a reasonably robust review and rating system.

The first is apps that request permissions for things that you do not want it to access, for example a tracking app linking up with your entire Google Account, or a Wallpaper app that wants access to "Phone Calls", as shown in the screenshot.

The example is an app from Google linked to Google Maps, so it needs access to your Google Account.

The second (the wallpaper) shows one problem with Android permissions, granularity or, perhaps, better grouping. READ_PHONE_STATE permission has to be allowed to read the phone UUID. Maybe it has to be split to only access this info.

Quote:

Originally Posted by nvidia2008

Secondly, more pertinently, is that the issue is not that "An SMS app needs access to SMS". The point is that once you have granted permission that app can then send SMS's behind your back without you knowing. Apple's iOS and App Store has various layers that prevent this sort of thing. From private API use, to some level of human-checking of apps and a reasonably robust review and rating system.

Secondly, more pertinently, is that the issue is not that "An SMS app needs access to SMS". The point is that once you have granted permission that app can then send SMS's behind your back without you knowing. Apple's iOS and App Store has various layers that prevent this sort of thing. From private API use, to some level of human-checking of apps and a reasonably robust review and rating system.

Maybe I'm missing it, but what is stopping an SMS app from doing the same thing on an iPhone? Human checking of apps? That's not exactly an infallible process, like the camera app that just got yanked because it changed the volume button's function and was prominently listing that as a feature of the program.

Are you honestly complaining that an SMS application can have access to your SMS messages?

No, we're pointing out that there's no security when that SMS application, which may in fact have a legitimate need to access your SMSes, can also read them all, archive them, mine them for information like your friends' contact details, and sell those details or use them for spamming purposes.

They can search your SMSes for other details like credit card numbers and passwords, if you're stupid enough to send those things over SMS communications.

With no screening process, how on Earth can you be sure these things aren't happening right now?

No but it's probably going to affect international users more. They will have cultures that drive them to different store models with different content and they will take some of the popular apps, inject them with trojans and put them on the store. The store itself would be trusted, the app developer would be trusted, it's the process by which the app gets onto the store which isn't.

Google can require that developers provide hash verifications of their apps and that way it at least limits trojans to bad developers.

So most AMERICAN Android users have little to worry about?

What utter BS.

I want to know the apps I download have been through Apple's rigorous clearing process. Nerds who've bought Google's PR garbage may call that a walled garden. I call it safe computing.

The example is an app from Google linked to Google Maps, so it needs access to your Google Account.

I can use google maps without having to login to any google account. It is not a prerequisite on a computer, why do they make it needed in an Android device? Your point doesn't make sense to me, sorry.

I can use google maps without having to login to any google account. It is not a prerequisite on a computer, why do they make it needed in an Android device? Your point doesn't make sense to me, sorry.

And you can use Mytracks without linking it with an account but it can upload the tracks to Google Maps or as a spreadsheet to Google Docs and then it must be linked to an account.

It is not a requisite to link an account, but if you want to link it, it has to be allowed through permissions.